U.S. patent application number 16/189909 was filed with the patent office on 2019-03-14 for location based authentication.
The applicant listed for this patent is Visa U.S.A. Inc.. Invention is credited to Patrick Faith, Ayman Hammad.
Application Number | 20190080320 16/189909 |
Document ID | / |
Family ID | 40580421 |
Filed Date | 2019-03-14 |
United States Patent
Application |
20190080320 |
Kind Code |
A1 |
Hammad; Ayman ; et
al. |
March 14, 2019 |
LOCATION BASED AUTHENTICATION
Abstract
A portable consumer device that is used to conduct a transaction
at a merchant is authenticated. Information provided to a server
computer includes locations of a merchant and a mobile
communication device possessed by a consumer. If the location of
the mobile communication device corresponds to the location of the
merchant, the portable consumer device that is used to conduct the
transaction is authenticated.
Inventors: |
Hammad; Ayman; (Pleasanton,
CA) ; Faith; Patrick; (Pleasanton, CA) |
|
Applicant: |
Name |
City |
State |
Country |
Type |
Visa U.S.A. Inc. |
San Francisco |
CA |
US |
|
|
Family ID: |
40580421 |
Appl. No.: |
16/189909 |
Filed: |
November 13, 2018 |
Related U.S. Patent Documents
|
|
|
|
|
|
Application
Number |
Filing Date |
Patent Number |
|
|
15632189 |
Jun 23, 2017 |
10163100 |
|
|
16189909 |
|
|
|
|
12258322 |
Oct 24, 2008 |
9721250 |
|
|
15632189 |
|
|
|
|
60982682 |
Oct 25, 2007 |
|
|
|
Current U.S.
Class: |
1/1 |
Current CPC
Class: |
G06Q 20/40 20130101;
G06Q 30/0212 20130101; G06Q 20/3825 20130101; G06Q 20/32 20130101;
G06Q 20/3223 20130101; G06Q 20/401 20130101; G06Q 40/025 20130101;
G06Q 30/00 20130101; G06Q 40/00 20130101; G06Q 30/0215 20130101;
G06Q 20/20 20130101; G06Q 20/3274 20130101; H04L 63/18 20130101;
G06Q 20/3276 20130101; G06Q 20/387 20130101; G06Q 40/128 20131203;
G06Q 40/12 20131203; G06Q 10/087 20130101; G06Q 20/102 20130101;
G06Q 30/0601 20130101; G06Q 20/10 20130101; G06Q 20/3224
20130101 |
International
Class: |
G06Q 20/38 20120101
G06Q020/38; G06Q 10/08 20120101 G06Q010/08; G06Q 20/40 20120101
G06Q020/40; G06Q 20/10 20120101 G06Q020/10; G06Q 20/20 20120101
G06Q020/20; G06Q 20/32 20120101 G06Q020/32; G06Q 30/00 20120101
G06Q030/00; G06Q 30/02 20120101 G06Q030/02; G06Q 30/06 20120101
G06Q030/06; G06Q 40/00 20120101 G06Q040/00; G06Q 40/02 20120101
G06Q040/02; H04L 29/06 20060101 H04L029/06 |
Claims
1-18. (canceled)
19. A method for conducting a transaction, the method comprising:
receiving, at a server, first location information associated with
a location of a mobile communication device of a user during the
transaction conducted with an access device; receiving, at the
server, second location information associated with a geographic
location of the access device at a time of the transaction, wherein
the second location information is transferred from the access
device to the mobile communication device during the transaction,
and wherein the second location information is then forwarded to
the server from the mobile communication device instead of from the
access device; using the server, determining that a portable device
held by the user is authentic when the first location information
matches the second location information; and wherein the first
location information and the second location information are
received from the mobile communication device held by the user, and
wherein the second location information is provided to the mobile
communication device directly from the access device.
20. The method of claim 19 wherein the mobile communication device
is also the portable device.
21. The method of claim 19, wherein the geographic location is a
second location, which is a particular location, and wherein the
method further comprises: if a subsequent transaction is initiated
using a different portable device at a different location,
determining that the different portable device is authentic based
on at least one of a distance between the particular location and
the different location and an amount of time elapsed between the
transaction at the particular location and the subsequent
transaction at the different location.
22. The method of claim 19 further comprising: sending a message to
the access device indicating that the portable device is
authentic.
23. The method of claim 19 further comprising: determining that a
subsequent transaction is authentic using the first location
information and the second location information.
24. The method of claim 19, wherein the second location information
is encrypted at the access device using an electronic signature
before it is transferred to the mobile communication device.
25. The method of claim 19, further comprising: contacting the user
to authenticate when the first location information and the second
location information do not match.
26. The method of claim 19, further comprising: authenticating the
user with the mobile communication device before initiating the
transaction with the access device.
27. The method of claim 19, wherein the second location information
is generated by the access device, and wherein the first location
information and the second location information are received at the
server in a same authorization request message forwarded by the
user's mobile communication device.
28. A server comprising: a processor; and a computer readable
medium, the computer readable medium comprising code, executable by
the processor, to implement a method comprising: receiving first
location information associated with a location of a mobile
communication device of a user during a transaction conducted with
an access device; receiving second location information associated
with a fixed geographic location of the access device at a time of
the transaction, wherein the second location information is
transferred from the access device to the mobile communication
device during the transaction, and wherein the second location
information is then forwarded to the server from the mobile
communication device instead of from the access device operated by
the access device; determining that a portable device held by the
user is authentic when the first location information matches the
second location information; and wherein the first location
information and the second location information are received from
the mobile communication device held by the user, and wherein the
second location information is provided to the mobile communication
device directly from the access device.
29. The server of claim 28 wherein the mobile communication device
is also the portable device.
30. The server of claim 28, wherein the fixed geographic location
is second location, which is a particular location, and wherein the
method further comprises: if a subsequent transaction is initiated
using a different portable device at a different location,
determining that the different portable device is authentic based
on at least one of a distance between the particular location and
the different location and an amount of time elapsed between the
transaction at the particular location and the subsequent
transaction at the different location.
31. The server of claim 28, wherein the method further comprises:
sending a message to the access device indicating that the portable
device is authentic.
32. The server of claim 28, wherein the method further comprises:
determining that a subsequent transaction is authentic using the
first location information and the second location information.
33. The server of claim 28, wherein the second location information
is encrypted at the access device using an electronic signature
before it is transferred to the mobile communication device.
34. The server of claim 28, wherein the method further comprises:
contacting the user to authenticate when the first location
information and the second location information do not match.
35. The server of claim 28, wherein the method further comprises:
authenticating the user with the mobile communication device before
initiating the transaction with the access device.
36. The server of claim 28, wherein the second location information
is generated by the access device, and wherein the first location
information and the second location information are received at the
server in a same authorization request message forwarded by the
mobile communication device.
37. A method for conducting a transaction, the method comprising:
providing first location information to a server computer, wherein
the first location information corresponds to a location of a
mobile communication device held by a user during the transaction
conducted with an access device; and providing second location
information to the server computer, wherein the second location
information corresponds to a geographic location of the access
device at a time of the transaction, wherein the second location
information is transferred from the access device to the user's
mobile communication device during the transaction and is
thereafter forwarded to the server computer from the mobile
communication device instead of from the access device, wherein the
server computer is configured to determine that a portable device
used in the transaction is authentic when the first location
information matches with the second location information; and
wherein the second location information is generated by the access
device, and the first location information and the second location
information are received from the mobile communication device,
wherein the second location information is provided to the mobile
communication device directly from the access device.
38. The method of claim 37 wherein the first location information
comprises global positioning system information associated with the
mobile communication device, and wherein the second location
information comprises an identifier received in an authorization
request message from the access device that is conducting the
transaction.
Description
CROSS-REFERENCES TO RELATED APPLICATIONS
[0001] This application claims priority to U.S. Provisional
Application No. 60/982,682 filed on Oct. 25, 2007, herein
incorporated by reference in its entirety for all purposes.
BACKGROUND
[0002] Many consumers use a variety of payment devices when
purchasing services and goods. Example payment devices include
portable consumer devices such as credit cards, debit cards,
prepaid purchase cards and travel cards. Other portable consumer
devices include devices that can be used instead of cash to
purchase goods or services such as a mobile communication device.
To prevent fraud, electronic commerce card associations and/or
issuers have instituted authentication systems to ensure that
payment devices are only used by authorized cardholders.
[0003] Authentication systems could be improved. For example, an
issuer may see an authorization request message coming from a
merchant, but may have no way to verify that the authentic consumer
is actually at the particular merchant. For example, an
unauthorized person may have stolen an authentic consumer's payment
card and may be using it. The issuer may have no way of knowing if
the person who is using the payment card is authentic or not.
[0004] Embodiments of the invention address these and other
problems.
SUMMARY
[0005] Embodiments of the invention are directed to authenticating
a portable consumer device that is used to conduct a transaction at
a merchant. The portable consumer device is authenticated based on
location data coming from at least two different sources. For
example, first location information may be received from a mobile
communication device possessed by a consumer and second location
information may be received from a POS terminal operated by a
merchant conducting the transaction. If the first location
information and the second location information correspond to each
other (e.g., they match), then the server computer may authenticate
the transaction. In some embodiments, the mobile communication
device may be the portable consumer device. In other embodiments,
the mobile communication device may be separate from the portable
consumer device. For example, the portable consumer device could be
a payment card.
[0006] These and other embodiments of the invention are described
in further detail below.
BRIEF DESCRIPTION OF THE DRAWINGS
[0007] FIG. 1 shows a payment processing system that can be used in
an embodiment of the invention.
[0008] FIG. 2 is a flow diagram illustrating a method for
authenticating a mobile communication device based on locations of
the mobile communication device and a merchant where the portable
consumer device is conducting a transaction in accordance with
embodiments of the present invention.
[0009] FIG. 3 is a flow diagram illustrating a method for denying
authentication of a mobile communication device conducting a
subsequent transaction based on authentication of a different
mobile communication device used in a previous transaction in
accordance with embodiments of the present invention.
[0010] FIG. 4 shows typical components or subsystems of a computer
apparatus.
[0011] FIG. 5 shows a block diagram of some components of a mobile
communication device that may be used as a payment device.
DETAILED DESCRIPTION
[0012] Some embodiments of the invention are directed to
authenticating a consumer or a portable consumer device that is
used to conduct a transaction at a merchant. In embodiments of the
invention, location information is received from at least two
sources. The location information is used to verify that the
consumer is at the same location that the transaction is being
conducted. For example, the portable consumer device can be
authenticated based on the locations of a mobile communication
device and the merchant. In some embodiments, the portable consumer
device may be a payment card, while in other embodiments the
portable consumer device may be the mobile communication
device.
[0013] In one example embodiment, the portable consumer device is a
payment card. After a transaction is initiated with the payment
card, the payment card interacts with a point of sale (POS)
terminal. The POS terminal may send an authorization request
message to the issuer of the payment card via an acquirer and a
payment processing network. A server in the payment processing
network may also determine the location of a mobile phone possessed
by the consumer. If the merchant location information and the
location information from the mobile phone match, then the server
computer may determine that the transaction is authentic. If the
merchant location information and the location information do not
match, then the server computer may not consider the transaction
authentic. The server computer may thereafter forward the
authorization request message to the issuer with an indicator that
it has determined that the consumer has been authenticated or that
the consumer has not been authenticated. If the issuer determines
that the consumer has sufficient funds or credit in the account
associated with the portable consumer device, the issuer may decide
to authorize the transaction if the consumer was authenticated.
Alternatively, the issuer may decline the transaction because the
consumer was not authenticated.
[0014] In some embodiments, instead of having a merchant send
information to the issuer via the acquirer, the mobile
communication device (or a payment application stored on the mobile
communication device) may interact directly with the payment
processing network. In some embodiments, the mobile communication
device may translate any information received from the merchant so
that the payment processing network may process and transmit the
information to an issuer. In this example, it is not necessary for
the acquirer to receive an authorization request message before the
payment processing network receives it.
[0015] In such embodiments, the mobile communication device may
also communicate directly with a point of sale (POS) terminal and
may gather information from the merchant (or vice versa) before
sending the information directly to the payment processing network.
The payment processing network may thereafter send an authorization
request message or other appropriate information to the issuer so
that the issuer can make a decision regarding whether or not to
authorize the transaction.
[0016] During the transaction process, the merchant may provide
location information to the mobile communication device. For
example, the location information may include a unique merchant
identifier that identifies the location of the merchant. The mobile
communication device then provides the location information to the
payment processing network. A global positioning system (GPS)
associated with the mobile communication device may also be used to
identify the location of the mobile communication device. The
location of the mobile communication device may then be provided to
the payment processing network.
[0017] The payment processing network can determine that the mobile
communication device is authentic if the merchant location
corresponds to the GPS location of the mobile communication device.
For example, when the mobile communication device is identified as
being in the same location as the merchant, the payment processing
network processes the transaction. Likewise, when the mobile
communication device is identified as being at a different location
from the merchant (e.g., in a different postal code), the payment
processing network does not process the transaction.
[0018] In one illustrative example, a consumer conducts a
transaction using her mobile phone at a retail outlet in San
Francisco. Before the transaction is conducted, the consumer
authenticates herself to the payment processing network using the
mobile phone. The merchant provides location information to the
consumer's mobile phone. The location information may include the
merchant location or a merchant identifier that may be used by the
payment processing network to identify the merchant's location. The
location of the mobile phone may be identified by a global
positioning system. Thus, if the GPS location of the mobile phone
corresponds to the merchant location, the payment processing
network considers the transaction to be valid and processes the
transaction.
[0019] In another illustrative example, the payment processing
network may use the location information from one transaction to
determine that a different transaction is not authentic.
Specifically, the other transaction may be conducted on the same
day as and at a different merchant location from the previous
transaction. For example, the same consumer may be identified as
initiating a transaction using a different portable consumer device
(e.g., a credit card) at a merchant in Los Angeles less than an
hour after the retail transaction was conducted in San Francisco.
Since it is nearly impossible for one person to be in Los Angeles
less than an hour after being in San Francisco, one of the portable
consumer devices is not authentic. Based on the GPS location of the
mobile phone and since the user already authenticated herself to
the payment processing network in San Francisco, the payment
processing network would not recognize as valid the credit card
transaction at the merchant in Los Angeles.
[0020] Some embodiments of the present invention can be used with
standard payment processing systems. An exemplary payment
processing system is described in further detail below.
[0021] FIG. 1 shows a payment processing system 20 that can be used
in embodiments of the present invention. The system 20 includes a
merchant 22 and an acquirer 24 associated with the merchant 22. In
a typical payment transaction, a consumer 30 may purchase goods or
services at the merchant 22 using a portable consumer device such
as a mobile communication device 32 or a payment card 31 that is
configured to facilitate a payment transaction with the merchant
22. The acquirer 24 can communicate with an issuer 28 via a payment
processing network 26. The payment processing network 26 may
include a server computer 26(a), and a database 26(b) operatively
coupled to the server computer 26(a). The server computer 26(a) may
comprise a processor and a computer readable medium coupled to the
processor. The computer readable medium may comprise code for
receiving first location information associated with a particular
location; code for receiving second location information associated
with the particular location; and code for determining that a
portable consumer device is authentic when the first location
information corresponds to the second location information. The
database 26(b) may comprise information including a lookup table
which correlates merchant identifiers with specific geographic
locations. For example, a merchant identifier 12389 may correspond
to a geographic location of a vendor such as Acme Food, at 1 Brown
Street, San Francisco, Calif.
[0022] The acquirer 24 is typically a bank that has a merchant
account. The issuer 28 may also be a bank, but could also be a
business entity such as a retail store. Some entities are both
acquirers and issuers, and embodiments of the invention include
such entities. The issuer 28 may also operate a server computer
28(a), which may have a computer readable medium comprising code
for performing the functions that the issuer 28 performs. A
database 28(b) comprising account information and other information
may be operatively coupled to the server computer 28(a).
[0023] The consumer 30 may be an individual, or an organization
such as a business that is capable of purchasing goods or
services.
[0024] Although portable consumer devices in the form of phones and
cards have been described above, portable consumer devices may have
other forms. For example, suitable portable consumer devices may
also include PDAs, mobile computers, key fobs, etc.
[0025] The payment processing network 26 may include data
processing subsystems, networks, and operations used to support and
deliver authorization services, exception file services, and
clearing and settlement services. An exemplary payment processing
network may include VisaNet.TM.. Payment processing networks such
as VisaNet.TM. are able to process credit card transactions, debit
card transactions, and other types of commercial transactions.
VisaNet.TM., in particular, includes a Visa Integrated Payments
(VIP) system which processes authorization requests and a Base II
system which performs clearing and settlement services.
[0026] The payment processing network 26 may include a server
computer 26(a) and a database 26(b) operatively coupled to the
server computer 26(a). A server computer is typically a powerful
computer or cluster of computers. For example, the server computer
can be a large mainframe, a minicomputer cluster, or a group of
servers functioning as a unit. In one example, the server computer
may be a database server coupled to a Web server. The payment
processing network 26 may use any suitable wired or wireless
network, including the Internet.
[0027] A global positioning system (GPS) 36 can be coupled to the
payment processing network 26 and the mobile communication device
32. Location information from the global positioning system 36 can
be used to authenticate the portable consumer device being used
based on the location of the mobile communication device 32 and the
location of the merchant 22. As those having ordinary skill in the
art would appreciate, any mobile communication device may be
provided with a GPS receiver to identify the location of the mobile
communication device.
[0028] The merchant 22 may also have, or may receive communications
from, an access device 34 that can interact with the payment card
31 and/or the mobile communication device 32. In FIG. 1, the access
device 34 is located at the merchant 22.
[0029] The access devices according to embodiments of the invention
can be in any suitable form. Examples of access devices include
point of sale (POS) devices, cellular telephones, PDAs, personal
computers (PCs), tablet PCs, handheld specialized readers, set-top
boxes, electronic cash registers (ECRs), automated teller machines
(ATMs), virtual cash registers (VCRs), kiosks, security systems,
access systems, and the like.
[0030] If the access device 34 is a POS terminal, any suitable POS
terminal may include a reader 34(a), a processor 34(b) and a
computer readable medium 34(c). The reader 34(b) may include any
suitable contact or contactless mode of operation. For example,
exemplary card readers can include radio frequency (RF) antennas,
magnetic stripe readers, etc., to interact with the portable
consumer device 32.
[0031] In an embodiment of the invention, the consumer 30 purchases
a good or service at the merchant 22 using the mobile computing
device 32 or the payment card 31. The mobile portable computing
device 32 or the payment card 31 can interact with the access
device 34 such as a POS terminal at the merchant 22. For example,
the consumer 30 may initiate a transaction by causing either the
payment card 31 or the mobile communication device 32 to pass by
the reader 34(b) of the access device 34 so that the access device
34 can read information from the payment card 31 or the mobile
communication device 32.
[0032] The access device 34 can then generate an authorization
request message. The authorization request message may include
information such as the transaction amount, a merchant identifier,
CVV (card verification value), PAN (primary account number), and
other information. The authorization request message is then
forwarded to the acquirer 24. After receiving the authorization
request message, the authorization request message is then sent to
the server computer 26(a) in the payment processing network 26.
[0033] At some point in time, the mobile communication device 32
can send its location information directly to the server computer
26(a) in the payment processing network 26, or the GPS system 36
may send the mobile communication device location information to
the server computer 26(a) in the payment processing network 26.
[0034] The server computer 26(a) in the payment processing network
26 can then determine if the portable consumer device and/or the
consumer is authentic. The server computer 26(a) can compare the
location information received from the mobile communication device
32 with the location of the merchant 22. The server computer 26(a)
may determine the location of the merchant 22 by determining a
physical address or geographic coordinates that correspond to the
merchant identifier received in the authorization request message.
If the location information received from the two different sources
matches, then the server computer 26(a) can determine that the
transaction is authentic. If the location information received from
the two different sources does not match, then the server computer
26(a) can determine that the transaction is not authentic. For
example, if the merchant is located in Los Angeles, and the
location of the mobile communication device 32 is in New York, then
the server computer 26(a) may determine that the consumer 30 or the
portable consumer device is not authentic. Alternatively, the
server computer 26(a) may call the consumer 30 on the mobile
communication device 32 and may attempt to authenticate the
consumer 30 using challenge questions or the like.
[0035] The payment processing network 26 may then forward the
authorization request message including its determination as to
whether or not the transaction is authentic to the issuer 28.
[0036] After the issuer 28 receives the authorization request
message, the issuer 28 sends an authorization response message back
to the payment processing network 26 to indicate whether or not the
current transaction is authorized (or not authorized). For example,
the transaction may not be authorized if there are insufficient
funds or credit in the consumer's account. In another example, the
issuer 28 may receive information that the server computer 26(a) in
the payment processing network 26 has determined that the received
location information did not match. The issuer 28 may thereafter
determine that the transaction is too risky and the issuer 28 may
thereafter decline to authorize the transaction. The payment
processing network 26 then forwards the authorization response
message back to the acquirer 24. The acquirer 24 then sends the
response message back to the merchant 22.
[0037] The response message that is sent back to the merchant 22
may include an indication as to whether the server computer 26(a)
determined that the location information from the two different
sources matched. In some embodiments, the payment processing
network 26 could alternatively send its authentication
determination information to the merchant 22 before or after this
information is sent to the issuer 28.
[0038] It is noted that in other embodiments, the issuer 28,
instead of the payment processing network 26, could perform the
authentication process described above.
[0039] After the merchant 22 receives the authorization response
message, the access device 34 at the merchant 22 may then provide
the authorization response message for the consumer 30. The
response message may be displayed by the access device 34, or may
be printed out on a receipt.
[0040] At the end of the day, a normal clearing and settlement
process can be conducted by the payment processing network 26. A
clearing process is a process of exchanging financial details
between the acquirer 24 and the issuer 28 to facilitate posting to
a consumer's account and reconciliation of the consumer's
settlement position.
[0041] In the transaction flow that is described above, the
authorization request message passes from the merchant 22 to the
issuer 28 via the payment processing network 26 and the acquirer
24. In other embodiments, transaction information may pass from the
merchant 22 to the issuer 28 via the mobile communication device 32
and the payment processing network 26, without passing through the
acquirer 24. Specifically, rather than providing authorization
through the merchant 22 and the acquirer 24, embodiments of the
invention may use the mobile communication device 32 to pass
information from the merchant 22 to the server computer 26(a) in
the payment processing network 26. The mobile communication device
32 may translate any information received from the merchant 22 so
that the server computer 26(a) in the payment processing network 26
may process and transmit the information to the issuer 28.
[0042] In such embodiments, the mobile communication device 32 may
communicate directly with the access device 34 at the merchant 22
and may gather information from the merchant 22 (or vice versa)
before sending the information directly to the payment processing
network 26. For example, the merchant 22 may sign a transaction and
may send an electronic signature to the mobile communication device
32, and the mobile communication device 32 may forward the
electronic signature and other transaction information to the
payment processing network 26. In some embodiments, the merchant's
POS terminal may receive an identifier such as a verification
value, a phone number, or a SIM card number from the mobile
communication device 32. The POS terminal may then return this
information to the mobile communication device 32 along with a
merchant identifier or a POS terminal identifier. This information
may be sent to the payment processing network 26 directly via the
mobile communication device 32 as evidence that the mobile
communication device 32 and the POS terminal were interacting
during the transaction.
[0043] In some embodiments, before a transaction is initiated at
the merchant 22, the consumer 30 can authenticate himself to the
mobile communication device 32. The consumer 30 may authenticate
himself to the mobile communication device 32 in a variety of
different ways. Exemplary authentication mechanisms for a mobile
communication device include entering a personal identification
number (PIN) or entering a challenge response into the mobile
communication device 32, or any other method of verifying the
consumer's identity at the mobile communication device 32.
[0044] After the consumer 30 authenticates himself to the mobile
communication device 32, the mobile communication device 32 may be
used to initiate a transaction at the merchant 22. For example, the
consumer 30 may select goods to purchase at the merchant 22. The
consumer may pay for the goods at a POS terminal using the mobile
communication device 32. During the transaction process, the
merchant 22 provides location information to the mobile
communication device 32. For example, the location information may
include a unique merchant identifier that is used to identify the
location of the merchant 22. The merchant identifier may be in the
form of a physical address or may be in the form of a code
associated with a physical address that may be stored in the
database 26(b) in the payment processing network 26. The mobile
communication device 32 then provides the location information to
the payment processing network 26. The global positioning system 36
may be used to identify the location of the mobile communication
device 32 and to provide the GPS location of the mobile
communication device 32 to the payment processing network 26.
Alternatively, the mobile communication device 32 may transmit
location information directly to the payment processing network
26.
[0045] As in the prior embodiments, the payment processing network
26 can determine that the mobile communication device 32 is
authentic when the merchant location corresponds to the GPS
location of the mobile communication device 32. Conversely, when
the mobile communication device 32 is identified as being at a
different location from the merchant 22 (e.g., in a different
postal code or in a different city), the payment processing network
26 can determine that the mobile communication device 32 being used
and/or the consumer is not authentic.
[0046] In some embodiments, the payment processing network 26 may
use the merchant and mobile communication device location
information associated with a transaction to deny authentication of
a subsequent transaction. For example, a consumer may be identified
as initiating a transaction using a different payment device (e.g.,
a debit card) at a different merchant less than ten minutes after a
previous transaction was conducted in a different time zone using
the mobile communication device 32. Based on the GPS location of
the mobile communication device 32 and since the user already
authenticated herself to the payment processing network 26 for the
previous transaction, the payment processing network 26 would not
authenticate the debit card transaction due to the high probability
that the debit card transaction is fraudulent.
[0047] FIGS. 2 and 3 are flow diagrams illustrating some specific
embodiments.
[0048] FIG. 2 is a flow diagram illustrating a method for
authenticating a mobile communication device based on locations of
the mobile communication device and a merchant where the consumer
is conducting a transaction.
[0049] Before the consumer initiates the transaction, the consumer
authenticates himself to the mobile communication device (step
200). The consumer may authenticate himself to the mobile
communication device in a variety of different ways. Exemplary
authentication mechanisms include entering a personal
identification number (PIN), entering a challenge response or by
any other method of verifying consumer identity to the mobile
communication device.
[0050] After the consumer authenticates himself to the mobile
communication device, the mobile communication device or a payment
card is used to initiate the transaction at the merchant (step
210). For example, the consumer may select goods to purchase at the
merchant. The consumer may pay for the goods at a POS terminal
using the mobile communication device. During the transaction
process, the POS terminal generates transaction information. The
transaction information may include the time of the transaction, a
description of the goods purchased during the transaction, the cost
of the goods, the location of the merchant, and the like.
[0051] The merchant provides the merchant location information to
the mobile communication device (step 220). The merchant location
information may identify the location of the merchant or may
include a unique merchant identifier that is used by the payment
processing network to identify the merchant location.
[0052] The mobile communication device provides the merchant
location information to the payment processing network (step 230).
Thus, the payment processing network may identify the merchant
location where the transaction was initiated by the mobile
communication device.
[0053] The location of the mobile communication device is
identified using a global positioning system (step 240). The global
positioning system provides the GPS location of the mobile
communication device to the payment processing network.
[0054] A determination is made whether the GPS location of the
mobile communication device corresponds to the merchant location
(step 250). The payment processing network considers the mobile
communication device to be authentic when the merchant location
corresponds to the GPS location of the mobile communication device.
For example, when the mobile communication device is identified as
being in the same location as the merchant, the payment processing
network authenticates the transaction (step 260).
[0055] The payment processing network may determine that the mobile
communication device is not authentic when the merchant location
does not correspond to the GPS location of the mobile communication
device. For example, when the mobile communication device is
identified as being at a different location from the merchant
(e.g., in a different postal zone), the payment processing network
does not process the transaction because the transaction is not
authentic (step 270). Authentication processing may then terminate,
or may proceed in another manner (e.g., a phone call may be made to
the mobile communication device).
[0056] FIG. 3 is a flow diagram illustrating a method for denying
authentication of a mobile communication device conducting a
subsequent transaction based on authentication of a different
mobile communication device used in a previous transaction. A
mobile communication device used in a previous transaction
conducted at a merchant is authenticated as described above with
reference to FIG. 2 (step 300). Thus, the consumer is verified as
being at the merchant location at the time the previous transaction
was initiated and completed.
[0057] The payment processing network receives a request to
authenticate a mobile communication device used in a subsequent
transaction (step 310). The subsequent transaction may be initiated
at a different merchant than the previous transaction.
[0058] The payment processing network identifies the merchant
location and time of the previous transaction and the subsequent
transaction (step 320). For example, the same consumer may be
identified as initiating a transaction using a different mobile
communication device (e.g., a credit card) at a merchant in a
different part of the country less than two hours after the
previous transaction was processed.
[0059] A determination is made whether the subsequent transaction
is valid based on the time and merchant location of each of the
previous and subsequent transactions (step 330).
[0060] In the event that the subsequent transaction is initiated at
a time and/or location that is impossible to attain in view of the
time and merchant location of the previous transaction, the
transaction is not authenticated and the payment processing network
does not process the subsequent transaction (step 340). For
example, a subsequent transaction would not be considered as valid
at a merchant that is 200 miles from the merchant location of the
previous transaction and the previous transaction took place less
than thirty minutes prior to receiving the request to authenticate
the mobile communication device used to initiate the subsequent
transaction. Based on the consumer's verified presence at the
merchant location for the previous transaction, the payment
processing network would not process the subsequent transaction
because it is highly likely that the subsequent transaction is
fraudulent.
[0061] In the event that the subsequent transaction is initiated at
a time and/or location that is likely valid in view of the time and
merchant location of the previous transaction, the transaction is
authenticated and processed (step 350). For example, a subsequent
transaction would be considered valid at a merchant that is in the
same postal zone as the merchant location of the previous
transaction and the previous transaction took place more than four
hours prior to the initiation of the subsequent transaction.
[0062] FIG. 4 shows typical components or subsystems of a computer
apparatus. Such components or any subset of such components may be
present in various components shown in FIG. 1, including the access
device 34, server computers 26(a), 28(a), etc. The subsystems shown
in FIG. 4 are interconnected via a system bus 400. Additional
subsystems such as a printer 410, keyboard 420, fixed disk 430,
monitor 440, which is coupled to display adapter 450, and others
are shown. Peripherals and input/output (I/O) devices, which couple
to I/O controller 460, can be connected to the computer system by
any number of means known in the art, such as serial port 470. For
example, serial port 470 or external interface 480 can be used to
connect the computer apparatus to a wide area network such as the
Internet, a mouse input device, or a scanner. The interconnection
via system bus 400 allows the central processor 490 to communicate
with each subsystem and to control the execution of instructions
from system memory 495 or the fixed disk 430, as well as the
exchange of information between subsystems. The system memory 495
and/or the fixed disk 430 may embody a computer readable
medium.
[0063] FIG. 5 shows a block diagram of some components of a mobile
communication device 500. The mobile communication device 500 may
comprise a computer readable medium 510 and a body 520. The
computer readable medium 510 may be present within the body 520, or
may be detachable from it. The body 520 may be in the form of a
plastic substrate, housing, or other structure. The computer
readable medium 510 may be a memory that stores data and may be in
any suitable form including a magnetic stripe, a memory chip, etc.
The computer readable medium 510 may comprise code for receiving
first location information associated with a particular location,
code for receiving second location information associated with the
particular location, and code for determining that a portable
consumer device is authentic when the first location information
corresponds to the second location information.
[0064] The mobile communication device 500 may further include a
contactless element 530, which is typically implemented in the form
of a semiconductor chip (or other data storage element) with an
associated wireless transfer (e.g., data transmission) element,
such as an antenna. Data or control instructions transmitted via a
cellular network may be applied to the contactless element 530 by a
contactless element interface (not shown). The contactless element
interface functions to permit the exchange of data and/or control
instructions between the mobile device circuitry (and hence the
cellular network) and the contactless element 530.
[0065] The contactless element 530 is capable of transferring and
receiving data using a near field communications ("NFC") capability
(or near field communications medium) typically in accordance with
a standardized protocol or data transfer mechanism (e.g., ISO
14443/NFC). Near field communications capability is a short-range
communications capability, such as RFID, Bluetooth.TM., infra-red,
or other data transfer capability that can be used to exchange data
between the mobile communication device 500 and the payment
processing network 26, or it can be used to exchange data between
the mobile communication device 500 and the access device 34. Thus,
the mobile communication device 500 is capable of communicating and
transferring data and/or control instructions via both cellular
network and near field communications capability.
[0066] The mobile communication device 500 may also include a
processor 540 (e.g., a microprocessor) for processing the functions
of the mobile communication device 500 and a display 550 to allow
the consumer to view offers associated with items that may be
purchased and other information and messages. The mobile
communication device 500 may further include input elements 560 to
allow a user to input information into the mobile communication
device 500, a speaker 570 to allow the user to hear voice
communication, music, etc., and a microphone 580 to allow the user
to transmit her voice through the mobile communication device 500.
The mobile communication device 500 may also include an antenna 590
for wireless data transfer (e.g., data transmission).
[0067] As described above, a mobile communication device cannot
conduct any transaction without the user's permission because the
user must authenticate himself to the device before initiating a
transaction at a merchant. The transaction information is received
by the payment processing network directly from the consumer via
the mobile communication device rather than from the merchant and
the acquirer. The geographic locations of the merchant and the
mobile communication device are identified such that if the
locations correspond, the mobile communication device is
authenticated and the transaction is processed.
[0068] In addition, as described above, the payment processing
network may use the location information from an authenticated
mobile communication device used in a previous transaction to
determine whether a subsequent transaction is valid. This feature
is especially useful when different payment devices are used for
the different transactions. If the subsequent transaction is
identified as not valid, the transaction is not processed due to
the unlikelihood that the authorized consumer is conducting the
subsequent transaction.
[0069] It should be understood that the present invention as
described above can be implemented in the form of control logic
using computer software in a modular or integrated manner. Based on
the disclosure and teachings provided herein, a person of ordinary
skill in the art will know and appreciate other ways and/or methods
to implement the present invention using hardware and a combination
of hardware and software.
[0070] Any of the software components or functions described in
this application may be implemented as software code to be executed
by a processor using any suitable computer language, such as, for
example, Java, C++ or Perl, using, for example, conventional or
object-oriented techniques. The software code may be stored as a
series of instructions, or commands on a computer readable medium,
such as a random access memory (RAM), a read only memory (ROM), a
magnetic medium such as a hard-drive or a floppy disk, or an
optical medium such as a CD-ROM. Any such computer readable medium
may reside on or within a single computational apparatus, and may
be present on or within different computational apparatuses within
a system or network.
[0071] The above description is illustrative and is not
restrictive. Many variations of the invention will become apparent
to those skilled in the art upon review of the disclosure. The
scope of the invention should, therefore, be determined not with
reference to the above description, but instead should be
determined with reference to the pending claims along with their
full scope or equivalents. For example, although GPS location
techniques are described above, embodiments of the invention can
use other location based techniques including the use of signal
strength associated with a mobile communication device to determine
proximity to a cell tower, etc.
[0072] One or more features from any embodiment may be combined
with one or more features of any other embodiment without departing
from the scope of the invention.
[0073] A recitation of "a", "an" or "the" is intended to mean "one
or more" unless specifically indicated to the contrary.
* * * * *